02-27-2012 07:10 AM - edited 02-27-2012 07:17 AM
Hello all.
I have an IP PBX/SIP server with a SIP trunk that does not register. This server is in my LAN and I believe that my settings in the NetScreen are blocking this registration.
This is my current setup on my NetScreen 25 running firmware 5.4.0r14.0 (Firewall+VPN).
Interfaces:
| Interface | Zone | IP address | Mode |
| eth0 | trust/LAN | 192.168.3.254/24 | NAT |
| eth3 | untrust/WAN | XX.XX.XX.202/29 | Route |
All MIPs are configured on the eth3 interface, including the one for my PBX. The IP address xx.xx.xx.205 is assigned to my PBX on 192.168.3.61.
Policies:
Trust > Untrust
| Source: 192.168.3.61/32 | Destination: Any | Service: SIP/VoIP | NAT Source Translation | Logging enabled |
Untrust > Trust
| Source: Any | Destination: MIP(xx.xx.xx.205) | Service: SIP/VoIP | Logging enabled |
In my Trust > Untrust logs I do not see anything, as I think a higher-up policy (LAN > ANY) is being matched instead. How can I place this policy higher than my LAN > ANY to make sure my NAT Source Translation is used?
Secondly, this is what I am getting in my Untrust > Trust policy logs.
| Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason |
| 2012-02-24 01:06:01 | 87.211.128.138:50147 | xx.xx.xx.205:5060 | 87.211.128.138:50147 | 192.168.3.61:5060 | SIP | 21 sec. | 206 | 0 | Close - AGE OUT |
| 2012-02-24 01:05:57 | 87.211.128.138:50196 | xx.xx.xx.205:80 | 87.211.128.138:50196 | 192.168.3.61:80 | HTTP | 5 sec. | 1670 | 4951 | Close - TCP FIN |
| 2012-02-24 01:05:51 | 87.211.128.138:50171 | xx.xx.xx.205:80 | 87.211.128.138:50171 | 192.168.3.61:80 | HTTP | 4 sec. | 1669 | 6708 | Close - TCP FIN |
What could be the reason for this?
02-27-2012 07:35 AM - edited 02-27-2012 07:36 AM
No expert here, and I posted this info in my thread too, but Juniper seems to imply that policy-based NAT must be used for VoIP.
See #2: [Bidirectional] How to configure one-to-one, bi-directional NAT (MIPs and other NAT combinations)
Important: Use Policy-based NAT vs Interface-based NAT for VoIP traffic.
02-27-2012 08:16 AM - edited 02-27-2012 08:16 AM
Dear routeme, I had a look at these items and the supplementary material such as
http://kb.juniper.net/InfoCenter/index?page=conten
http://kb.juniper.net/InfoCenter/index?page=conten
As far as I understand, basically what this says is that if your communication is bidirectional you should use a MIP. Furthermore, on the Trust > Untrust policy NAT Source Translation should be enabled, and this has been done in my setup.
As I mentioned above, my policy for Trust > Untrust was under a general policy which overrules it, and I did not see anything in the log. I just moved my Trust > Untrust policy to the top and I am getting this data in my log:
| Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason |
| 2012-02-27 17:10:17 | 192.168.3.61:5060 | 204.11.192.23:5060 | xx.xx.xx.205:5060 | 204.11.192.23:5060 | SIP | 79 sec. | 3576 | 0 | Close - AGE OUT |
| 2012-02-27 17:09:57 | 192.168.3.61:5060 | 204.11.192.22:5060 | xx.xx.xx.205:5060 | 204.11.192.22:5060 | SIP | 79 sec. | 3576 | 0 | Close - AGE OUT |
| 2012-02-27 17:09:37 | 192.168.3.61:5060 | 204.11.192.39:5060 | xx.xx.xx.205:5060 | 204.11.192.39:5060 | SIP | 79 sec. | 3576 | 0 | Close - AGE OUT |
Any idea why I am getting the "Close - AGE OUT" message?
02-28-2012 05:19 AM
Hi,
This means that the voice gateway does not accept these sessions. This can also be a FW policy on the VoIP provider site.
ScreenOS 5.4 is a very, very old version and the NS25 cannot be upgraded to 6.x. I am sure that the SIP ALG will not work correctly. Try to disable the SIP ALG, create a custom SIP service and configure this policy with Application "Ignore".
Custom SIP service:
TCP: src port 0-65535, dst port 5060; UDP: port range depends on the vendor!
Also open the SIP access from 204.11.192.23 to your IP PBX.
And, you are right, a MIP is the best choice for this environment.
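The diagnosis in the reply above rests on reading the log rows: a SIP session with 0 bytes received that closes with "Close - AGE OUT" means the firewall never saw an answer from the responder. The following is an added example (not from this thread or from Juniper) that parses the pipe-delimited ScreenOS traffic-log rows quoted in the thread and reports which post-NAT endpoints never replied; the sample rows are constructed from the thread's own log excerpts.

```python
"""Triage ScreenOS traffic-log rows for one-way SIP sessions.

Added example, not from the forum thread or from Juniper. The sample rows
below are constructed from the log excerpts posted in the thread.
"""
from dataclasses import dataclass

SAMPLE_LOG = """\
| 2012-02-27 17:10:17 | 192.168.3.61:5060 | 204.11.192.23:5060 | xx.xx.xx.205:5060 | 204.11.192.23:5060 | SIP | 79 sec. | 3576 | 0 | Close - AGE OUT |
| 2012-02-24 01:05:57 | 87.211.128.138:50196 | xx.xx.xx.205:80 | 87.211.128.138:50196 | 192.168.3.61:80 | HTTP | 5 sec. | 1670 | 4951 | Close - TCP FIN |
| 2012-02-24 01:06:01 | 87.211.128.138:50147 | xx.xx.xx.205:5060 | 87.211.128.138:50147 | 192.168.3.61:5060 | SIP | 21 sec. | 206 | 0 | Close - AGE OUT |
"""


@dataclass
class Session:
    when: str
    src: str
    dst: str
    xlat_src: str  # source after policy/MIP translation
    xlat_dst: str  # destination after translation (the real responder)
    service: str
    seconds: int
    sent: int
    received: int
    reason: str


def parse_row(line: str) -> Session:
    """Split one '| a | b | ... |' row into its ten columns."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 10:
        raise ValueError(f"expected 10 columns, got {len(cells)}: {line!r}")
    when, src, dst, xsrc, xdst, svc, dur, sent, recv, reason = cells
    return Session(when, src, dst, xsrc, xdst, svc,
                   int(dur.split()[0]), int(sent), int(recv), reason)


def parse_log(text: str) -> list[Session]:
    return [parse_row(l) for l in text.splitlines() if l.strip()]


def one_way(s: Session) -> bool:
    """Nothing came back and the session only ended when its timer expired."""
    return s.received == 0 and s.reason == "Close - AGE OUT"


def report(text: str) -> dict:
    """Count one-way SIP sessions and list the post-NAT hosts that stayed silent."""
    sessions = parse_log(text)
    bad = [s for s in sessions if s.service == "SIP" and one_way(s)]
    silent = sorted({s.xlat_dst.rsplit(":", 1)[0] for s in bad})
    return {"total": len(sessions), "one_way_sip": len(bad), "silent_responders": silent}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

For the outbound row the silent responder is the provider's registrar; for the inbound row it is the PBX itself behind the MIP, which separates "provider not answering" from "PBX not answering" before any policy is touched.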